The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Monday, March 29, 2010

The Privacy Commissioner of Canada has released a discussion paper on privacy issues related to "cloud computing". This is part of their broad outreach and consultation process on privacy and new technology. You can read it here: Reaching for the Cloud(s).

On a related topic, I will be one of the keynote speakers at the Town Hall being put on by the Commissioner in Calgary next month.

... A Scotland Yard spokesman said: "Police received an allegation regarding an incident that happened at Heathrow Terminal 5 on March 10. A first-instance harassment warning has been issued to a 25-year-old male."

The BAA employee took a photo of his co-worker, Jo Margetson, when she inadvertently went through a scanner.

"I can't bear to think about the body scanner thing," she told the Sun. "I'm totally traumatised. I've spoken to the police about it. I'm in too much of a state to go to work."...

Wednesday, March 17, 2010

Thanks to advanced statistical analysis and the plethora of digital crumbs scattered around the internet, every bit of data you leave behind (no matter how small) online can be used to piece together a link to your full identity and details. Scary stuff from the New York Times.

If a stranger came up to you on the street, would you give him your name, Social Security number and e-mail address?

Probably not.

Yet people often dole out all kinds of personal information on the Internet that allows such identifying data to be deduced. Services like Facebook, Twitter and Flickr are oceans of personal minutiae — birthday greetings sent and received, school and work gossip, photos of family vacations, and movies watched.

Computer scientists and policy experts say that such seemingly innocuous bits of self-revelation can increasingly be collected and reassembled by computers to help create a picture of a person’s identity, sometimes down to the Social Security number.

“Technology has rendered the conventional definition of personally identifiable information obsolete,” said Maneesha Mithal, associate director of the Federal Trade Commission’s privacy division. “You can find out who an individual is without it.”

In a class project at the Massachusetts Institute of Technology that received some attention last year, Carter Jernigan and Behram Mistree analyzed more than 4,000 Facebook profiles of students, including links to friends who said they were gay. The pair was able to predict, with 78 percent accuracy, whether a profile belonged to a gay male.

So far, this type of powerful data mining, which relies on sophisticated statistical correlations, is mostly in the realm of university researchers, not identity thieves and marketers.

But the F.T.C. is worried that rules to protect privacy have not kept up with technology. The agency is convening on Wednesday the third of three workshops on the issue.

Its concerns are hardly far-fetched. Last fall, Netflix awarded $1 million to a team of statisticians and computer scientists who won a three-year contest to analyze the movie rental history of 500,000 subscribers and improve the predictive accuracy of Netflix’s recommendation software by at least 10 percent.

On Friday, Netflix said that it was shelving plans for a second contest — bowing to privacy concerns raised by the F.T.C. and a private litigant. In 2008, a pair of researchers at the University of Texas showed that the customer data released for that first contest, despite being stripped of names and other direct identifying information, could often be “de-anonymized” by statistically analyzing an individual’s distinctive pattern of movie ratings and recommendations.

In social networks, people can increase their defenses against identification by adopting tight privacy controls on information in personal profiles. Yet an individual’s actions, researchers say, are rarely enough to protect privacy in the interconnected world of the Internet.

You may not disclose personal information, but your online friends and colleagues may do it for you, referring to your school or employer, gender, location and interests. Patterns of social communication, researchers say, are revealing.

“Personal privacy is no longer an individual thing,” said Harold Abelson, the computer science professor at M.I.T. “In today’s online world, what your mother told you is true, only more so: people really can judge you by your friends.”

Collected together, the pool of information about each individual can form a distinctive “social signature,” researchers say.

The power of computers to identify people from social patterns alone was demonstrated last year in a study by the same pair of researchers that cracked Netflix’s anonymous database: Vitaly Shmatikov, an associate professor of computer science at the University of Texas, and Arvind Narayanan, now a researcher at Stanford University.

By examining correlations between various online accounts, the scientists showed that they could identify more than 30 percent of the users of both Twitter, the microblogging service, and Flickr, an online photo-sharing service, even though the accounts had been stripped of identifying information like account names and e-mail addresses.

“When you link these large data sets together, a small slice of our behavior and the structure of our social networks can be identifying,” Mr. Shmatikov said.

Even more unnerving to privacy advocates is the work of two researchers from Carnegie Mellon University. In a paper published last year, Alessandro Acquisti and Ralph Gross reported that they could accurately predict the full, nine-digit Social Security numbers for 8.5 percent of the people born in the United States between 1989 and 2003 — nearly five million individuals.

Social Security numbers are prized by identity thieves because they are used both as identifiers and to authenticate banking, credit card and other transactions.

The Carnegie Mellon researchers used publicly available information from many sources, including profiles on social networks, to narrow their search for two pieces of data crucial to identifying people — birthdates and city or state of birth.

That helped them figure out the first three digits of each Social Security number, which the government had assigned by location. The remaining six digits had been assigned through methods the government didn’t disclose, although they were related to when the person applied for the number. The researchers used projections about those applications as well as other public data, like the Social Security numbers of dead people, and then ran repeated cycles of statistical correlation and inference to partly re-engineer the government’s number-assignment system.

To be sure, the work by Mr. Acquisti and Mr. Gross suggests a potential, not actual, risk. But unpublished research by them explores how criminals could use similar techniques for large-scale identity-theft schemes.

More generally, privacy advocates worry that the new frontiers of data collection, brokering and mining, are largely unregulated. They fear “online redlining,” where products and services are offered to some consumers and not others based on statistical inferences and predictions about individuals and their behavior.

The F.T.C. and Congress are weighing steps like tighter industry requirements and the creation of a “do not track” list, similar to the federal “do not call” list, to stop online monitoring.

But Jon Kleinberg, a professor of computer science at Cornell University who studies social networks, is skeptical that rules will have much impact. His advice: “When you’re doing stuff online, you should behave as if you’re doing it in public — because increasingly, it is.”

In preparation for the introduction, Facebook updated its privacy policy last November. The new policy states: “When you share your location with others or add a location to something you post, we treat that like any other content you post.”

At that time, the company also offered some foreshadowing of the new feature: “If we offer a service that supports this type of location sharing we will present you with an opt-in choice of whether you want to participate.”

Facebook has been working on a location-based tool for close to a year, but decided to wait until the product was completely ready for mainstream adoption before announcing it, said the people with knowledge of the project.

Monday, March 01, 2010

I've been a faithful follower of Cryptome for quite some time. Cryptome has been posting very interesting and controversial content on the internet since 1996. It was the first WikiLeaks. Recent readers would note some publications that are very interesting for those who are interested a look at the level of cooperation of between internet service providers and law enforcement. Some of the reaction has been overblown, in my view. Nobody should be surprised that service providers hand over customer information in response to warrants and subpoenaes. Where the law requires it, banks do it, pharmacies do it, libraries do it and credit card companies do it. I think it would be shocking if service providers didn't have policies and procedures for this. What would be more troubling would be the extent to which service providers hand over information in the absence of a lawful requirement.

Most recently, Microsoft served a DMCA notice on Cryptome and its hosting provider, demanding that their Global Criminal Compliance Handbook be removed. Cryptome countered and Microsoft ultimately caved. My personal view is that service providers should make this information public so that customers really understand their digital footprints.

So if you want to see what Facebook, AOL, PayPal, MySpace, AOL and Skype will provide in response to a lawful demand, check out Cryptome.

And for lawyers, these documents will tell you what you can expect to get in response to a lawful demand.

Please note that I am only able to provide legal advice to clients of my firm. If you have a privacy matter, please contact me about becoming a client. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser may not be protected by solicitor-client privilege.

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Due to professional ethics, the author may not be able to comment on matters in which a client has an interest. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.